bug#16880: 24.3; oauth2: 401-responses not handled transparently [oauth2 0.10]

[Glenn Morris <rgm@gnu.org>]

Øyvind Stegard wrote:

> Package: oauth2

There is no package "oauth2" on debbugs.gnu.org, so your report ended up
on the help-debbugs mailing list. You seem to be talking about a GNU
ELPA package, so I have reassigned your issue to the "emacs" package.
This message, and all future ones, will go to the bug-gnu-emacs list.

> Version: 0.10
>
> I use oauth2.el to access the Google Contacts API and it has been
> working fine for a long time. But in recent versions (after v0.9 I
> think) I have been getting 401 http responses from Google whenever a
> token refresh was necessary. Subsequently retrying the http request by
> calling `oauth2-url-retrieve-synchronously' again makes it work OK, and
> "200 OK" with expected results is returned.
>
> It looks like the initial 401 http response, which is supposed to be
> handled transparently, is what actually ends up in the buffer returned
> by `oauth2-url-retrieve-synchronously' when a token refresh has been
> automatically executed (in "oauth-hack" advice around
> `url-http-handle-authentication'). (The token refresh itself seems to
> work fine and is updated in the plstore.)
>
> There is a hack in oauth2.el for hooking into url-http library
> authentication handling, and the hack overrides the standard mechanism
> by using an around-advice ("oauth-hack") and a conditional variable
> which triggers the special behaviour when called from oauth2.
>
> This advice sets the url internal variable `success' to t at the end,
> but the advised function `url-http-handle-authentication' does not do
> this after its own call to `url-retrieve-internal' at the end (in Emacs
> 24.3 at least).
>
> I tried commenting out this (oauth2.el line 205):
>    (when (boundp 'success) (setq success t)) ;For URL library in Emacs<24.4.
>
> so `success' was not set to t. And this causes things to work like
> expected; the initial 401-response is handled behind the scenes, and the
> reponse of the last http request (with updated access token) is what
> ends up in the buffer returned by `oauth2-url-retrieve-synchronously'. I
> have not deep enough knowledge of the url library to see exactly why
> this works, and I would appreciate if you could look into it.
>
> To reproduce, I simply invalidate the access token in the oauth plstore,
> forcing oauth2 to refresh it, before calling function
> `oauth2-url-retrieve-synchronously'.
>
>
> Also, what is the point of the (let ...) block with only variable
> bindings and no body at line 196 in oauth.el ? (Parentheses mishap ?)
>
>
> Thanks,
>
> Øyvind S.